
CA certificate policy

Use this directive when your MCP server containers need to reach internal services (private registries, proxies, or APIs) whose TLS certificates are issued by a certificate authority that the containers do not trust by default, typically your corporate CA. Injecting the CA certificate lets the containers verify those TLS connections properly instead of working around the problem by disabling certificate verification, which would leave every connection open to interception.

You'll need either the PEM-encoded certificate or a URL from which it can be fetched, and the Enterprise Manager already deployed and reachable by clients.

Configure the CA certificate directive

Add the ca_certificate directive to your enterprise configuration. Supply either pem (inline certificate) or url (fetched at runtime), but not both.

Inline PEM

Use this when you want to embed the certificate directly in your configuration:

values.yaml

```yaml
enterpriseConfig:
  ca_certificate:
    value:
      pem: |
        -----BEGIN CERTIFICATE-----
        <BASE64_ENCODED_CERTIFICATE>
        -----END CERTIFICATE-----
    enforcement: 'enforced'
```

URL

Use this when your CA certificate is hosted at a stable internal URL and you want to avoid embedding it in the configuration:

values.yaml

```yaml
enterpriseConfig:
  ca_certificate:
    value:
      url: 'https://pki.example.com/ca.pem'
    enforcement: 'enforced'
```

Note: url is fetched by the ToolHive client at startup, so it must be reachable from the machines running ToolHive, not just from inside the MCP containers. The downloaded file becomes a trust anchor, so serve it over HTTPS from a host whose certificate those machines already trust. If the host at that URL itself presents a certificate issued by the private CA you are distributing, a client that does not yet have the CA cannot verify the download; in that situation use the inline pem form instead.

After updating your configuration, apply the change by redeploying the Enterprise Manager with the updated values.yaml so that the new enterprise configuration is served to clients.
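Before committing a ca_certificate directive, it is worth checking it offline: that exactly one of pem or url is set, that an inline pem is a single PEM block that decodes to something shaped like an X.509 certificate, and that a url uses https. The following Python script is an added example written for this page, not ToolHive or Enterprise Manager code; the https requirement on url and the single-certificate restriction on pem are this script's own policy rather than rules the page states, and the SAMPLE_DER bytes are a constructed placeholder with the right outer DER shape, not a real certificate. It also renders the values.yaml fragment with the block-scalar indentation the inline form needs.

```python
"""Offline sanity checks for a ToolHive ca_certificate directive (added example)."""
import ssl
from urllib.parse import urlsplit


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def looks_like_certificate(der: bytes) -> bool:
    """Check the outer shape only: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
    signatureAlgorithm SEQUENCE, signatureValue BIT STRING }. Not a full X.509 parse."""
    try:
        tag, body, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):  # must be one SEQUENCE with no trailing bytes
            return False
        tags, pos = [], 0
        while pos < len(body):
            t, _, pos = read_tlv(body, pos)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03]
    except ValueError:
        return False


def validate_directive(value: dict) -> list[str]:
    """Return the list of problems found in a ca_certificate `value` mapping (empty = OK)."""
    problems = []
    pem, url = value.get("pem"), value.get("url")
    if bool(pem) == bool(url):             # neither or both: the page allows exactly one
        problems.append("set exactly one of pem or url")
    if pem:
        pem = pem.strip()
        if pem.count("-----BEGIN CERTIFICATE-----") != 1:
            problems.append("pem must contain exactly one CERTIFICATE block (this checker's restriction)")
        else:
            try:
                der = ssl.PEM_cert_to_DER_cert(pem)   # strips the armor and base64-decodes
            except ValueError as exc:
                problems.append(f"pem is not a valid PEM certificate block: {exc}")
            else:
                if not looks_like_certificate(der):
                    problems.append("pem decodes but is not shaped like an X.509 Certificate")
    if url:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            # Policy of this script: a trust anchor fetched over plain http can be swapped in transit.
            problems.append("url must be an https URL with a host")
    return problems


def render_values_yaml(value: dict, enforcement: str = "enforced") -> str:
    """Render the enterpriseConfig fragment; pem is emitted as an indented YAML block scalar."""
    lines = ["enterpriseConfig:", "  ca_certificate:", "    value:"]
    if value.get("pem"):
        lines.append("      pem: |")
        lines += ["        " + line for line in value["pem"].strip().splitlines()]
    else:
        lines.append(f"      url: '{value['url']}'")
    lines.append(f"    enforcement: '{enforcement}'")
    return "\n".join(lines) + "\n"


# Constructed placeholder: SEQUENCE { SEQUENCE{NULL}, SEQUENCE{NULL}, BIT STRING "" }.
# It has the outer shape of a certificate and nothing else; it is NOT a real CA certificate.
SAMPLE_DER = bytes.fromhex("300b" "30020500" "30020500" "030100")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    for candidate in ({"pem": SAMPLE_PEM},
                      {"url": "http://pki.example.com/ca.pem"},
                      {"pem": SAMPLE_PEM, "url": "https://pki.example.com/ca.pem"}):
        print(candidate.keys(), "->", validate_directive(candidate) or "ok")
    print(render_values_yaml({"pem": SAMPLE_PEM}), end="")
```

Run it against your real ca.pem by reading the file into the pem key; a certificate that fails looks_like_certificate is usually a private key or a DER file pasted by mistake, and a multi-certificate bundle is flagged so you can decide deliberately which anchor to distribute.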

Next steps